The Sword & The Rose
? CodeMasters
1990
You will need following:
1. Original game
2. An Amiga or WINUAE
3. Action Replay or ROM image
4. Pencil and paper
5. ARIV
6. Kick 2.0 or higher
7. One blank DD disk 🙂
8. RNWarp by Ferox
Start by backing up the original game disk. As usual, this is like most CodeMasters games
a Copylock protected one.
The main loader and game files are encrypted and needs to be decrypted by the copylock.
I have chosen to show how to crack copylocks, by wire key into the encrypted code, but a single filing is also a possibility!
First of all we need the copylock key. We can acquire this by finding the key calculation routine in the copylock and compare it with the output from RNWarp.
Enter ARIV and read out a chump of your copied disk: ? RT 0 20 50000 ?
Search for typically sign for a copylock: ? F 48 7A,50000 ?. ARIV returns six address all with $10 between. This tells us, that there are three copylocks in the part of disk that we read out. There are ? only ? there three copylcoks on disk and they are all most identical, which means that they can be cracked in the same way.
Activate the Rob Northen Copylock decrypter: ? ROBD ?.
Disassemble the first address ARIV returns and stop when the copylock?s key calculation routine appears:
We are interested in the code I marked with green in the picture above. Take note of it, so we can compare it with the output from RNWarp.
Insert the original game disk and run RNWarp under CLI: ? RNWARP.EXE VIEW ?
The key calculation routine is ? SUB.L (A0)+,D6) ?. This gives us the key ? B2 19 19 57 ?.
Enter ARIV again and read out the same amount of tracks: ? RT 0 20 50000 ?. Enable the decrypter: ? ROBD ?.
Disassemble start of the first copylock routine (address 52C00) and watch out for following code:
The copylock key needs to be wired into address 52FEC. After that, we set register D1 to #0. This will emulate Copylock in the best possible way. After that, we need to branch past the whole disk accessing part.
Continue to disassemble a few lines further:
The registers are restored at address 5301E, so this must be our branch address.
Assemble address 52FEC and wire key in:
We are still in ROBD mode, so the code we type in, will automatically be encrypted by ARIV. There is no need to EOR the code ? by hand ?.
When the copylock is run, the key will be moved to register D0, disk-reading part are skipped and copylock will branch directly to the decrypter in end of copylock and game will be decrypted?
Find the next two copylocks and crack them the same way!
Write tracks back: ? WT 0 20 50000 ?
Reboot and have fun 🙂
If you would like a little trainer and get rid of the annoying commercials, keep reading.
I won?t show how to find the address to train (the real trainermakers can show how a prober trainer looks like ), but only how to apply the trainer.
This is a quickie, so don?t complain about it?
Read out the boot block to address 70000: ? RT 0 1 70000 ?
Assemble address 700C0 and code a little routine, that will move trainer from boot block and into address 100 upon game boot:
700C0; LEA 100,A0; destination address for trainer
700C6; LEA 70100(PC),A1; copy from offset $100 on disk
700CA; MOVE.W #200,D7; copy $200
700CE; MOVE.B (A1)+,(A0); copy
700D0; DBF D7,700CE; copy
700D4; JMP (A3); execute main loader
Assemble line 7005C which executes loader and change it to ? BRA 700C0 ?. This will call our copy routine.
Assemble 70100 and code trainer + kill commercials:
70100; MOVE.W #F0F,DFF180; flash screen
70108; MOVE.W #F,DFF180; flash screen
70110; BTST #6,BFE001; check for LMB
70118; BEQ 70126; if pressed, branch to 70126 and train game
7011A; BTST #A,DFF016; check for RMB pressed
70122; BEQ 7019A; if pressed, branch to 70019A and start normal game
70124; BRA 70100; loop till pressed
70126; MOVE.L #4E714E71,D0; fill D0 with opcodes for 2x NOP
7012C; MOVE.L D0,F99C; train game
70132; MOVE.W D0,F9A0; train game
70138; MOVE.L D0,F95C; train game
7013E; MOVE.W D0,F960; train game
70144; MOVE.L D0,F950; train game
7014A; MOVE.L D0,F954; train game
70150; MOVE.L D0,FA12; train game
70156; MOVE.W D0,FA16; train game
7015C; MOVE.L D0,110EE; train game
70162; MOVE.W D0,110F2; train game
70168; MOVE.L D0,F9A6; train game
7016E; MOVE.W D0,F9AA; train game
70174; MOVE.L D0,113DA; kill commercials
7017A; MOVE.L D0,11414; kill commercials
70180; MOVE.L D0,113D4; kill commercials
70186; MOVE.W D0,113D8; kill commercials
7018C; MOVE.L D0,1140E; kill commercials
70192; MOVE.W D0,11412; kill commercials
70198; CLR.L D0; set D0 to its original value
7019A; JSR 14FE8; jmp we took over, to call trainer
701A0; RTS; return to game
The trainer code will NOP code that both address that subtract and adds energy + life to the count addresses.
Commercials are skipped by NOP out the calls and the calls to delay routines.
Correct boot block checksum: ? BOOTCHK ? and write boot block back: ? WT 0 1 70000 ?
We just need to modify the game code to call our trainer code at address 100.
Read chump of disk to address 50000: ? RT 0 20 50000 ?.
We have a suitable ? JMP ? at line 6D4C6 to take over. Assemble this line and insert a ? JSR 100 ?. Write tracks back: ? WT 0 20 50000 ?
When screen flashes, press LMB for trainer + no commercials or RMB for normal game. Trainer will give you unlimited lives and energy.
Thanks to DLFRSILVER for supplying the original.
Dedicated to sweet sweet Victoria
Rob
Publication author
